This is the accessible text file for GAO report number GAO-12-949T
entitled 'Medicare: Action Needed to Remove Social Security Numbers
from Medicare Cards' which was released on August 1, 2012.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittees on Social Security and Health, Committee on
Ways and Means, House of Representatives:
For Release on Delivery:
Expected at 9:30 a.m. EDT:
Wednesday, August 1, 2012:
Medicare:
Action Needed to Remove Social Security Numbers from Medicare Cards:
Statement of Kathleen M. King:
Director, Health Care:
Daniel Bertoni:
Director, Education, Workforce, and Income Security Issues:
GAO-12-949T:
[End of section]
Chairman Johnson, Chairman Herger, and Members of the Subcommittees:
We are pleased to be here today to discuss our review of the options
presented by the Department of Health and Human Services (HHS) and its
agency, the Centers for Medicare & Medicaid Services (CMS), for
removing Social Security numbers (SSN) from Medicare[Footnote 1] cards
and the agency's cost estimates for these options.[Footnote 2]
More than 48 million Medicare cards display an SSN as part of the
health insurance claim number (HICN). The HICN plays an essential role
in the administration of the Medicare program and is used by CMS to
interact with beneficiaries and providers, and by other agencies that
play a role in determining an individual's eligibility for Medicare.
[Footnote 3] However, thieves can steal the information from Medicare
cards to commit various acts of identity theft, such as opening
fraudulent bank or credit card accounts or receiving medical services
in a beneficiary's name. In 2010, 7 percent of households in the
United States, or about 8.6 million households, had at least one
member age 12 or older who experienced identity theft, according to
U.S. Department of Justice figures. The estimated financial cost of
identity theft during that year was approximately $13.3 billion.
[Footnote 4] Theft of this information can also result from a data
breach--the unauthorized disclosure of a beneficiary's personally
identifiable information.[Footnote 5] Between September 2009 and March
2012, the HHS Office for Civil Rights identified over 400 reports of
provider data breaches involving protected health information that
each affected more than 500 individuals.[Footnote 6]
The importance of enhancing security protections for the display and
use of SSNs has resulted in multiple actions by federal and state
governments and the private sector. For example, the Social Security
Administration (SSA) has advised for years that individuals not carry
their Social Security card with them. In 2007, the Office of
Management and Budget issued a directive to all federal agencies to
develop a plan for reducing the unnecessary use of SSNs and exploring
alternatives to their use.[Footnote 7] Many federal agencies,
including the Departments of Defense (DOD) and Veterans Affairs (VA),
have taken significant steps to remove SSNs from their health
insurance and identification cards. In the private sector, health
insurers have also removed SSNs from their insurance cards in an
effort to comply with state laws and protect beneficiaries from
identity theft. In 2004, we reported that CMS determined it would be
cost-prohibitive to remove the SSN from the Medicare card.[Footnote 8]
Subsequently, CMS issued a report to Congress in 2006 describing an
option for removing the SSN and estimated it would cost over $300
million to do so.[Footnote 9]
Our remarks are based on our report released today,[Footnote 10] which
describes the various options for removing the SSN from the Medicare
card and examines the potential benefits, burdens, and CMS's cost
estimates associated with the various options. To conduct this work,
we reviewed CMS's 2011 report to Congress,[Footnote 11] as well as
supporting documentation provided by CMS. We also interviewed
officials from CMS, SSA, and the Railroad Retirement Board (RRB), as
well as officials at DOD, VA, and representatives of private health
insurers and other stakeholders. More information on our scope and
methodology is provided in the full report. Our work was performed in
accordance with generally accepted government auditing standards from
January 2012 to July 2012 for both the full report and for this
statement.
In its November 2011 report, CMS presented three options for removing
SSNs from Medicare cards. One option would truncate the SSN so that
only the last four digits would appear on the card. However, the full
SSN would continue to be used by both beneficiaries and providers for
all Medicare business transactions. The other two options would
replace the display of the SSN on the Medicare card with a newly
developed identifier that CMS calls the Medicare Beneficiary
Identifier (MBI). In one of these options, this new identifier would
be used by the beneficiary in their interactions with CMS; however,
the provider would continue to use the SSN to interact with CMS. In
the other, both the beneficiary and provider would use the new
identifier printed on the Medicare card and the SSN would be entirely
excluded from the transaction. CMS, SSA, and RRB reported that all
three options would generally require similar efforts, including
coordinating with stakeholders; converting information-technology (IT)
systems; conducting provider and beneficiary outreach and education;
conducting training of business partners; and issuing new cards. While
the level and type of modifications required to IT systems would vary
under each option, the one involving use of a new identifier by both
beneficiaries and providers would require somewhat more-extensive IT
modifications. However, CMS has not committed to implementing any of
the three options presented in its report. Nor did CMS consider other
options in its 2011 report, such as how machine-readable technologies,
including bar codes, magnetic stripes, or smart chips, could assist in
the effort to remove SSNs from Medicare cards. CMS officials told us
that they limited their options to those retaining the basic format of
the current paper card, and did not consider options that they
believed were outside the scope of the congressional request.
Of the three options presented in CMS's 2011 report, we found that
replacing the SSN with a new identifier for use by beneficiaries and
providers offers beneficiaries the greatest protection against
identity theft. Under this option, beneficiaries' risk of identity
theft would be reduced in the event that their card was lost or stolen
because the SSN would no longer be printed on the card. In addition,
because providers would not need the SSN to interact with CMS, they
would not be required to collect or maintain this information,
reducing the beneficiaries' vulnerability in the event of a provider
data breach. In addition, this option presents fewer burdens for
beneficiaries and providers relative to the others. Under this option,
the new identifier would be printed on the card, and beneficiaries
would use this identifier when interacting with CMS, eliminating the
need for them to memorize their SSN or store it elsewhere as they
might do under the other options. This option may also present fewer
burdens for providers because they would not have to query a CMS
database or call CMS to obtain a beneficiary's information to submit
claims as they would with the other two options.[Footnote 12]
Regardless of the option, the burdens experienced by CMS would likely
be similar because CMS would still need to conduct many of the same
activities and incur many of the same costs. For example, it would
need to reissue Medicare cards to current beneficiaries; conduct
outreach and education to beneficiaries and providers; and conduct
training for business partners. In addition, similar modifications to
state Medicaid IT systems would be required under each option in order
to process information on individuals eligible for both Medicare and
Medicaid.[Footnote 13] However, according to CMS officials, the option
that calls for replacing the SSN with a new identifier to be used by
beneficiaries and providers would have additional burdens because of
the more extensive changes required to CMS's IT systems compared to
the other options.
In its report, CMS, in conjunction with SSA and RRB, estimated that
altering or removing the SSN would cost between $803 million and $845
million, depending on the option selected. Approximately two-thirds of
the total estimated costs (between $512 million and $554 million) are
associated with modifications to existing state Medicaid IT systems
and CMS's IT-system conversions.[Footnote 14] While modifications to
existing state Medicaid IT systems and related costs are projected to
cost the same across all three options, the estimated costs for CMS's
IT-system conversions vary because of differences in the number of
systems affected, and the costs for modifying affected systems for the
different options. Both SSA and RRB would also incur costs under each
of the options.[Footnote 15] SSA estimated that implementing any of
them would cost the agency $95 million, and RRB estimated costs
totaling between $1.1 million and $1.3 million, depending on the
option.
However, we have four key concerns regarding the methods and
assumptions CMS used to develop its cost estimates that raise
questions about their reliability. First, CMS did not use any
cost-estimating guidance when developing its estimates. CMS officials
acknowledged that the agency did not rely on any such guidance, for
example GAO's,[Footnote 16] in developing its report.[Footnote 17]
Second, the procedures used to develop estimates for the two largest
cost categories--changes to existing state Medicaid IT systems and
CMS's IT-system conversions--are questionable and not well documented.
[Footnote 18] For example, CMS's estimates for certain costs were
based on data collected in 2008, at which time the agency had not
developed all of the options presented in the 2011 report.[Footnote 19]
In addition, while CMS asked for cost data from all states, it
received data from only five states--Minnesota, Montana, Oklahoma,
Rhode Island, and Texas--and we were unable to determine whether these
states are representative of the IT-system changes required by all
states. For CMS's own IT systems, cost estimates for required
modifications were approximately three times higher than those in the
agency's 2006 report.[Footnote 20] CMS could not explain how or why a
number of these systems would be affected under the three options.
Officials also could not explain the variance in the costs to modify
these systems across the options and could provide only limited
documentation on the development of CMS's estimates. Third, we
identified inconsistencies in some assumptions used by CMS and SSA in
the development of the estimates. For example, CMS and SSA used
different assumptions regarding the number of Medicare beneficiaries
that would require new Medicare cards. Fourth, CMS did not take into
account other factors when developing its cost estimates. For example,
CMS did not consider possible efficiencies that could be realized by
combining IT modifications required to remove SSNs with related IT
modernization efforts. The agency also did not attempt to calculate
potential savings due to the reduced need to monitor compromised SSNs
if they were removed from Medicare cards.
In conclusion, nearly six years have passed since CMS first issued a
report to Congress that explored options for removing the SSN from the
Medicare card, and five years have elapsed since the Office of
Management and Budget directed federal agencies to reduce the
unnecessary use of the SSN. While CMS has identified various options
for removing the SSN from Medicare cards, the agency has not committed
to a plan for such removal. Lack of action on this key initiative
leaves Medicare beneficiaries exposed to the possibility of identity
theft. Therefore, we recommended that CMS select an approach for
removing the SSN from the Medicare card that best protects
beneficiaries from identity theft and minimizes burdens for providers,
beneficiaries, and CMS; we also believe CMS should develop an
accurate, well-documented cost estimate for such an option using
standard cost-estimating procedures.
In responding to a draft of the report on which this testimony is
based, CMS concurred with our first recommendation to select an
approach that best protects beneficiaries from identity theft while
minimizing burdens for beneficiaries and providers. CMS also concurred
with our second recommendation, stating that it would conduct a new
estimate and utilize GAO's suggestions to strengthen its estimating
methodology. SSA, RRB, and DOD had no substantive comments and did
not comment on the report's recommendations. VA concurred with our
findings.
Chairman Johnson, Chairman Herger, and Members of the Subcommittees,
this completes our prepared statement. We would be pleased to respond
to any questions you may have at this time.
If you or your staff have any questions about this testimony, please
contact me at (202) 512-7114 or kingk@gao.gov, or Daniel Bertoni at
(202) 512-7215 or bertonid@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this statement. GAO staff who made key contributions to this
testimony are listed in appendix I.
[End of section]
Appendix I: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Kathleen King, (202) 512-7114 or kingk@gao.gov, or Daniel Bertoni,
(202) 512-7215 or bertonid@gao.gov.
Staff Acknowledgments:
In addition to the contacts named above, the following individuals
made key contributions to this statement: Lori Rectanus, Assistant
Director; Thomas Walke, Assistant Director; David Barish; Carrie
Davidson; Drew Long; and Andrea E. Richardson.
[End of section]
Footnotes:
[1] Medicare is the federal health insurance program for individuals
over the age of 65, individuals under the age of 65 with certain
disabilities, and individuals with end-stage renal disease.
[2] Centers for Medicare & Medicaid Services, Update on the Assessment
of the Removal of Social Security Numbers from Medicare Cards
(Baltimore, Md.: November 2011).
[3] For most individuals, the Social Security Administration (SSA) is
responsible for determining eligibility for Medicare and assigning the
HICN. However, for the approximately 550,000 Railroad Retirement
beneficiaries and their dependents, the Railroad Retirement Board
(RRB) is responsible for determining eligibility and assigning the
HICN.
[4] Lynn Langston, Identity Theft Reported by Households, 2005-2010,
NCJ 236245 (Washington, D.C.: U.S. Department of Justice, Office of
Justice Programs, Bureau of Justice Statistics, November 2011).
[5] For the purposes of this statement, we define a data breach as the
unauthorized acquisition, access, use, or disclosure of individually
identifiable information.
[6] We use the term provider to refer to any organization,
institution, or individual that provides health care services to
Medicare beneficiaries. These include hospitals, nursing facilities,
physicians, hospices, ambulatory surgical centers, outpatient clinics,
and suppliers of durable medical equipment, among others.
[7] Office of Management and Budget Memorandum M-07-16, Safeguarding
Against and Responding to the Breach of Personally Identifiable
Information (Washington, D.C.: May 22, 2007).
[8] GAO, Social Security Numbers: Governments Could Do More to Reduce
Display in Public Records and on Identity Cards, [hyperlink,
http://www.gao.gov/products/GAO-05-59] (Washington, D.C.: Nov. 9,
2004).
[9] Centers for Medicare & Medicaid Services, Report to Congress:
Removal of Social Security Number from the Medicare Health Insurance
Card and Other Medicare Correspondence (Baltimore, Md.: October 2006).
[10] GAO, Medicare: CMS Needs an Approach and a Reliable Cost Estimate
for Removing Social Security Numbers from Medicare Cards, [hyperlink,
http://www.gao.gov/products/GAO-12-831] (Washington, D.C.: Aug. 2,
2012).
[11] Centers for Medicare & Medicaid Services, Update on the
Assessment of the Removal of Social Security Numbers from Medicare
Cards (Baltimore, Md.: November 2011).
[12] There may be some initial burdens for providers and beneficiaries
under any of the three options presented by CMS. For example,
according to CMS officials, some providers may be required to update
their IT software and beneficiaries may be confused by any change to
their identifier.
[13] State Medicaid programs are jointly-funded federal-state health
care programs that cover certain low-income individuals.
[14] CMS would incur $261 million as the federal share of the
estimated total of $290 million. The remaining $29 million would be
the responsibility of the states.
[15] Both SSA and RRB perform Medicare-related activities and would
need to make changes to their business processes and IT systems as a
result of any of the options to remove SSNs from Medicare cards. SSA
determines Medicare eligibility for persons who receive or are about
to receive Social Security benefits, enrolls those who are eligible
into Medicare, and assigns them a HICN. Though CMS prints and
distributes the Medicare card, beneficiaries often contact SSA when
they need a replacement card. RRB is responsible for determining
Medicare eligibility for qualified railroad retirement beneficiaries,
enrolling them into Medicare, assigning HICNs to these individuals,
and issuing Medicare cards to them.
[16] GAO, Cost Estimating and Assessment Guide: Best Practices for
Developing and Managing Capital Program Cost, [hyperlink,
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009).
[17] CMS developed its estimates in conjunction with SSA and RRB by
examining cost categories that included potential modifications to IT
systems, reissuance of Medicare cards, and beneficiary outreach and
education.
[18] In addition to Medicaid IT-system modification costs, this cost
category includes related costs, such as business-process changes,
training, and updates to system documentation.
[19] CMS officials told us that the new identifier for beneficiary use
and new identifier for beneficiary and provider use options had
already been developed at the time CMS requested data from the states,
but the agency did not include the truncation option when it requested
data from the states.
[20] In its 2006 report to Congress, CMS estimated that removal of the
SSN from Medicare cards would cost approximately $338 million, of
which $80.2 million was attributable to start-up costs for IT-system
modifications.
[End of section]
Congressional Relations:
Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548.
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548.